
CVE-2025-66924: n/a

Severity: Medium
Published: Wed Dec 17 2025 (12/17/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

AI-Powered Analysis

AI analysis last updated: 12/24/2025, 18:17:41 UTC

Technical Analysis

CVE-2025-66924 is a cross-site scripting (XSS) flaw in Open Source Point of Sale (OSPOS) version 3.4.1, in the Create/Update Item Kit(s) feature. The "name" parameter of an item kit is neither validated on input nor encoded on output, so an attacker can supply a value that the browser later interprets as HTML or JavaScript. Because an item kit's name is persisted and then displayed back to staff (in the item-kit listing, the edit form and any other view that prints the name), the practical form of this bug is stored XSS: one crafted save, and every user who subsequently views the kit runs the script in their own session, enabling session hijacking, credential theft or actions performed in the victim's name within the POS interface. The CVE record itself carries no CVSS vector (the Technical Details below show Cvss Version: null); the 6.1 score cited here is this analysis's estimate using the customary vector for web XSS (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), which matches the Medium rating shown on this page. Read PR:N with care: creating or updating an item kit in OSPOS is a back-office function behind login, so the attacker either needs an account with item-kit permissions or must trick such a user into submitting the crafted name, while UI:R applies to the victim, who only has to view the poisoned kit. The changed scope (S:C) reflects that the payload executes in the victim's browser rather than in the vulnerable server component, and the impact is limited to confidentiality and integrity (C:L/I:L/A:N). The weakness is CWE-79. No vendor patch and no public exploit were known at the time of writing; that is consistent with a newly disclosed issue, not evidence that exploitation is hard, since an XSS payload in a product-name field is trivial to construct. In a retail deployment this could be used to read customer or transaction data visible to the victim user, or to manipulate POS operations with that user's privileges.
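The following is an added example, not OSPOS project code, that shows the mechanism described above: a stored item-kit name rendered without encoding becomes executable markup, and the same name rendered through HTML escaping at every output point does not. The in-memory store, the two row renderers, the route-free templates and the two payloads are constructed for illustration and do not reproduce OSPOS's real templates or database schema; the parser-based check is used because a regex cannot tell escaped text from a real tag.

```python
"""Added example (not OSPOS project code): how an unescaped item-kit "name"
becomes stored XSS, and how encoding at the render site removes it. The
ItemKitStore, the row renderers and the payloads are constructed for
illustration and do not reproduce OSPOS's real templates or schema."""
import html
from html.parser import HTMLParser

# Constructed attacker inputs: one injects a new element into text content,
# the other breaks out of the value attribute on the edit form.
PAYLOAD_SCRIPT = '<script>alert(document.cookie)</script>'
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.cookie)'


class ItemKitStore:
    """Minimal in-memory stand-in for the item kit table (constructed)."""

    def __init__(self) -> None:
        self._kits: dict[int, dict] = {}
        self._next_id = 1

    def save(self, name: str, description: str = "") -> int:
        # Storing the raw string is not the bug; rendering it unencoded is.
        # A stored payload fires for every later viewer, which is what makes
        # this worse than a reflected XSS that needs a crafted link.
        kit_id = self._next_id
        self._kits[kit_id] = {"name": name, "description": description}
        self._next_id += 1
        return kit_id

    def get(self, kit_id: int) -> dict:
        return self._kits[kit_id]


def render_row_vulnerable(kit: dict) -> str:
    """Interpolates the stored name straight into HTML (the vulnerable pattern)."""
    name = kit["name"]
    return (f'<tr><td>{name}</td>'
            f'<td><input type="text" name="name" value="{name}"></td></tr>')


def render_row_fixed(kit: dict) -> str:
    """Same row with html.escape(quote=True) at every output point.
    quote=True also encodes " and ', which is what stops attribute break-out."""
    safe = html.escape(kit["name"], quote=True)
    return (f'<tr><td>{safe}</td>'
            f'<td><input type="text" name="name" value="{safe}"></td></tr>')


class _ActiveContentFinder(HTMLParser):
    """Records <script> elements and on* event-handler attributes that a
    browser would actually execute in the rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.hits.append(attr_name)


def active_content(rendered_html: str) -> list[str]:
    """Return the executable constructs present in a rendered fragment."""
    finder = _ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.hits


def demo() -> dict[str, list[str]]:
    """Store both payloads and render each kit with both renderers."""
    store = ItemKitStore()
    results: dict[str, list[str]] = {}
    for label, payload in (("script", PAYLOAD_SCRIPT), ("attr", PAYLOAD_ATTR)):
        kit = store.get(store.save(payload))
        results[f"{label}/vulnerable"] = active_content(render_row_vulnerable(kit))
        results[f"{label}/fixed"] = active_content(render_row_fixed(kit))
    return results


if __name__ == "__main__":
    for key, hits in demo().items():
        print(f"{key:18} -> {hits or 'nothing executable'}")
```

The attribute payload is the one worth remembering: escaping only `<` and `>` (or using an escaper without `quote=True`) leaves `"` alone, so the second payload still closes the `value` attribute and adds an `onfocus` handler that fires as soon as the edit form autofocuses the field.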

Potential Impact

For European organizations, particularly retailers running Open Source POS v3.4.1, this vulnerability puts customer data confidentiality and transaction integrity at risk. Successful exploitation lets an attacker act inside the victim's authenticated POS session: hijack the session, capture credentials, or perform actions as that user, such as creating, altering or voiding sales, which undermines trust and can cause direct financial loss. The impact is greater where a single POS back office is shared by many staff accounts (a stored payload reaches all of them) or where the POS host sits on the wider enterprise network. Exposure of customer personal data also raises GDPR obligations. The absence of an availability impact means operations continue uninterrupted, but confidentiality and integrity breaches can have long-term reputational and legal consequences. Since no public exploit is known yet, organizations have a window to apply mitigations before active attacks emerge.

Mitigation Recommendations

Because OSPOS is open-source PHP, operators who cannot wait for an upstream fix can patch locally: the durable fix is HTML output encoding of the item kit name at every place it is rendered (PHP's htmlspecialchars with quote flags, or the framework's escaping helper), with encoding chosen for the context (element text versus attribute value). Input validation on the 'name' parameter in the Create/Update Item Kit(s) handler is worthwhile as defence in depth but should not be the only control, since a product name can legitimately contain characters such as & or quotes. Because the payload is stored, also audit existing item kit names in the database for angle brackets, inline event handlers (on...=) or javascript: URIs and clean any that were planted before the fix; a WAF or virtual patch on the save request does nothing for payloads already in the table. Deploy a Content Security Policy that disallows inline and remote scripts, but test it against the application first, as many PHP web applications rely on inline scripts and a strict policy may break the interface. Restrict the item-kit permission to the staff who need it, so fewer accounts can plant a payload, and monitor reverse-proxy or WAF logs for item kit save requests whose name parameter contains markup or encoded markup. Brief staff that unexpected behaviour in the POS interface (pop-ups, redirects, logins being requested again) should be reported. Where possible, keep POS systems off the general corporate network and limit their outbound internet access so that an exfiltration script has nowhere to send data. Watch the Open Source POS project for a fixed release and apply it promptly when it appears.
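As an added example for the log-monitoring and virtual-patching advice above (not OSPOS project code), the scanner below picks item kit save requests out of constructed proxy log lines, URL-decodes the name parameter repeatedly so double-encoded payloads are not missed, and reports which markup indicators fire. The log format, the /item_kits/save route and the request lines are assumptions made for illustration; adapt the line parser to whatever your reverse proxy or WAF actually records.

```python
"""Added example (not OSPOS project code): a small log scanner for the
"monitor logs for unusual input patterns" recommendation. The log format,
the /item_kits/save route and the sample lines are constructed assumptions."""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines, roughly what a reverse proxy with request-body
# logging might emit: timestamp, method, path, client IP, then the raw body.
SAMPLE_LOG = """\
2025-12-18T10:11:12Z POST /item_kits/save/-1 203.0.113.5 name=Breakfast+Bundle&description=Eggs+and+toast
2025-12-18T10:12:40Z POST /item_kits/save/7 203.0.113.5 name=Fish+%26+Chips&description=Friday+special
2025-12-18T10:13:02Z POST /item_kits/save/-1 198.51.100.23 name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&description=x
2025-12-18T10:13:09Z POST /item_kits/save/-1 198.51.100.23 name=%2522+autofocus+onfocus%253D%2522alert%25281%2529&description=x
2025-12-18T10:14:55Z POST /sales/add 203.0.113.9 name=%3Cb%3Eignored%3C%2Fb%3E
2025-12-18T10:15:30Z GET /item_kits/view/7 203.0.113.5 -
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<ip>\S+) (?P<body>.*)$')
ITEM_KIT_SAVE_RE = re.compile(r'^/item_kits/save(?:/|$)')  # assumed route

# Indicators that a value is trying to become markup rather than a plain name.
INDICATORS = [
    ("tag", re.compile(r'<\s*/?\s*[a-z]', re.IGNORECASE)),
    ("handler", re.compile(r'\bon[a-z]+\s*=', re.IGNORECASE)),
    ("js_uri", re.compile(r'javascript\s*:', re.IGNORECASE)),
    ("entity", re.compile(r'&#x?[0-9a-f]+;?', re.IGNORECASE)),
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %2522 (a double-encoded quote) is seen as a
    quote. Bounded so pathological input cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_name(raw_name: str) -> list[str]:
    """Return the indicator labels that fire on a single name value."""
    value = fully_decode(raw_name)
    return [label for label, rx in INDICATORS if rx.search(value)]


def scan_log(text: str) -> list[dict]:
    """One finding per item kit save request whose name looks like markup."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['method'] != 'POST' or not ITEM_KIT_SAVE_RE.match(m['path']):
            continue
        # parse_qs performs one round of decoding; classify_name handles the rest.
        params = parse_qs(m['body'], keep_blank_values=True)
        for raw_name in params.get('name', []):
            labels = classify_name(raw_name)
            if labels:
                findings.append({
                    'ts': m['ts'], 'ip': m['ip'], 'path': m['path'],
                    'name': fully_decode(raw_name), 'indicators': labels,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['indicators']} {f['name']!r}")
```

The benign "Fish & Chips" line is deliberately included: an ampersand alone is not an indicator, and a scanner that flags it would drown the real hits in noise. Names that legitimately contain angle brackets will be flagged, so treat findings as triage input rather than a block decision, and remember that this catches attempts at save time only; kits that were poisoned before monitoring began have to be found in the database.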


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-12-08T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 6942e8e71c1ff0913689279c

Added to database: 12/17/2025, 5:31:19 PM

Last enriched: 12/24/2025, 6:17:41 PM

Last updated: 2/5/2026, 2:03:29 PM

Views: 77
